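# NixOS module: runs Forgejo behind an nginx reverse proxy, with optional
# ACME/TLS, optional theme/template overrides and an optional service account.
# The `config.aether.forgejo` options read here are declared in ./options.nix.
{ config, lib, ... }:

let
  cfg = config.aether.forgejo;
  forgejo = config.services.forgejo;
  srv = forgejo.settings.server;

  # A non-null subdomain is prepended to the site domain; otherwise the bare
  # domain is used.
  useSubdomain = cfg.subdomain != null;
in
{
  imports = [ ./options.nix ];

  # Web server
  services.nginx.enable = true;
  services.nginx.virtualHosts.${srv.DOMAIN} = {
    # HTTPS redirect and certificate issuance both follow the one
    # `aether.https` switch.
    forceSSL = config.aether.https;
    enableACME = config.aether.https;
    # The proxy accepts request bodies up to 512M for this virtual host.
    extraConfig = ''
      client_max_body_size 512M;
    '';
    # nginx reaches Forgejo over loopback.
    # NOTE(review): HTTP_ADDR is not set in this module, so Forgejo's listen
    # address comes from the services.forgejo default or another module.
    # Confirm the backend port is reachable only through this proxy (for
    # example by binding it to a loopback address).
    locations."/".proxyPass = "http://localhost:${builtins.toString srv.HTTP_PORT}";
  };

  security.acme.acceptTerms = config.aether.https;
  security.acme.defaults.email = cfg.acmeEmail;

  # Only the proxy ports are opened here; the Forgejo HTTP port is not added.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Forgejo
  services.forgejo = {
    enable = true;
    user = cfg.user;
    # NOTE(review): the group and the database user are both set to the
    # service user's name rather than to options of their own. Confirm this
    # is intended.
    group = forgejo.user;
    database.user = forgejo.user;
    settings.server = {
      DOMAIN = lib.optionalString useSubdomain "${cfg.subdomain}." + config.aether.domain;
      # NOTE(review): the scheme is fixed to https even when
      # `config.aether.https` is false. Confirm TLS is terminated elsewhere in
      # that case, since the advertised URL would not match what nginx serves.
      ROOT_URL = "https://${srv.DOMAIN}/";
    };
  };

  # "L+" rules create a symlink, replacing whatever already exists at the path.
  # The link targets become Forgejo's custom public assets and templates, so
  # they should point at paths that untrusted users cannot write to.
  #
  # Fix: the theme rule guarded on `cfg.themes` but interpolated `cfg.theme`;
  # it now uses `cfg.themes` for both, matching the templates rule.
  # NOTE(review): confirm the option name against ./options.nix.
  systemd.tmpfiles.rules =
    lib.optional (cfg.themes != null)
      "L+ ${forgejo.stateDir}/custom/public/assets - - - - ${cfg.themes}"
    ++ lib.optional (cfg.templates != null)
      "L+ ${forgejo.stateDir}/custom/templates - - - - ${cfg.templates}";

  # Service account and group, declared only when `cfg.createUser` is set.
  users.users = lib.mkIf cfg.createUser {
    ${forgejo.user} = {
      home = forgejo.stateDir;
      # NOTE(review): gives the system account a login shell, presumably for
      # git over SSH. Confirm it is required.
      useDefaultShell = true;
      group = forgejo.group;
      isSystemUser = true;
    };
  };

  users.groups = lib.mkIf cfg.createUser {
    ${forgejo.group} = { };
  };
}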